Malicious PDF — malware analysis report

Static analysis result for SHA-256 17d42299ed7c5f9c…

Verdict: MALICIOUS
File type: PDF
Size: 57.1 KB
Created: 2017-06-01 20:17:03 +03:00
Authoring application: iTextSharp™ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)

MD5: 4b56974cf3ce9ed78ffaf3e2263d1744
SHA-1: be1f2ae3739b9632031ba739df5c5041b9d95e48
SHA-256: 17d42299ed7c5f9c5cd09cc7183a6fd50eb643f3dc211870b3bc75293cbf20e9

Risk Score: 258

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains embedded files, including a document named 'JPPMAYP1O.doc', and a JavaScript stream. The JavaScript code explicitly calls the 'exportDataObject' function with parameters indicating it intends to launch the embedded 'JPPMAYP1O.doc' file, which is a common technique for delivering second-stage payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (9)

  • ClamAV: Doc.Downloader.Jaff-6329915-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jaff-6329915-0
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size (plus per-artifact detection notes where present).

  • JPPMAYP1O.zip
    SHA-256: 903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 4 at offset 0x8B4
    Size: 116 bytes
  • 0.docm
    SHA-256: f4632ca7e63bdb96ee9d6fb0c4bcb558b69612fff5c8771ff8489d18fb1dfe1d
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0xA0A
    Size: 11370 bytes
  • 1.xlsx
    SHA-256: 95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x2D27
    Size: 7723 bytes
  • JPPMAYP1O_1.txt
    SHA-256: baab5e742cf8202fed6589c2b6371d73b42b01f93043f1ead4387f7637fb0871
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x4345
    Size: 194 bytes
  • JPPMAYP1O.doc
    SHA-256: 1a027aba7318ae2776f4c139e76c54eda59237563644697f97728b45c78af90b
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 16 at offset 0x4500
    Size: 94208 bytes
    Detection: ClamAV: Doc.Downloader.Jaff-6329915-0
    Obfuscation or payload: likely
    Note: Carved macro source contains an auto-exec entry point and execution/download terms.
  • javascript_obj0018_000.js
    SHA-256: 5c4bb717b9188269686b392aca4160c72b19efb2c02a351ead7b907db507cdff
    Kind: pdf-javascript-stream
    Source: PDF /JS object 18 at offset 0xDE17
    Size: 127 bytes